
Why the HIPAA Security Rule Treats Every Practice the Same
The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) does not scale its enforcement expectations based on practice size. A solo family medicine physician and a 500-bed hospital are held to identical standards under the HIPAA Security Rule — and OCR's enforcement record makes that unmistakably clear.
Small practices frequently assume that limited patient volume reduces their breach risk or enforcement exposure. Neither assumption holds. Threat actors specifically target small healthcare providers because they operate with weaker security controls, older infrastructure, and minimal IT staff. OCR's audit program has documented this gap repeatedly: smaller covered entities consistently show higher rates of missing documentation, absent Business Associate Agreements, and untested contingency plans than their larger counterparts.
This HIPAA compliance checklist for small practices is designed to close the gap between what the HIPAA Security Rule requires and what most solo clinics, dental offices, and mental health practices have actually implemented. Working through each section will help you document your current posture, identify gaps, and build a remediation roadmap that satisfies OCR's required and addressable implementation specifications under 45 C.F.R. Part 164.
HIPAA compliance is not a one-time project — it is a living program that must evolve as your practice changes, new threats emerge, and regulations are updated. Pair this guide with our detailed HIPAA cybersecurity requirements overview to turn your checklist findings into a defensible compliance program.
Healthcare Cybersecurity: The Risk Numbers
Infographic captions (the figures themselves did not survive extraction): highest of any industry — IBM Cost of Data Breach Report 2024; average across industries — IBM Cost of Data Breach Report 2024; per violation category, willful neglect — HHS OCR civil monetary penalty structure.
Section 1: Administrative Safeguards (45 C.F.R. §164.308)
Administrative safeguards account for the largest share of the HIPAA Security Rule's required and addressable implementation specifications. They are also the most frequently cited area in OCR investigations because they demand written policies, documented training, and ongoing governance — exactly what small practices tend to handle informally or skip entirely.
Security Management Process (§164.308(a)(1))
Every covered entity must conduct a thorough risk analysis — an accurate assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of all electronic Protected Health Information (ePHI) your organization creates, receives, maintains, or transmits. This is not a one-time project. OCR expects periodic reviews and a documented risk management plan that tracks how identified risks are being reduced to a reasonable and appropriate level.
Your risk analysis must be written — not verbal, not informal. OCR's single most common enforcement finding is a missing or undated risk analysis. The document should identify each ePHI system, assess the threats and vulnerabilities affecting it, and document the controls implemented in response.
Designated Security Official (§164.308(a)(2))
The regulation requires one individual — not a committee and not a vendor — to be formally designated as your Security Official, responsible for developing and implementing your HIPAA security policies. For small practices, this is often the practice owner or office manager. What matters is that the designation is documented and that the individual understands their responsibilities. Pairing that person with a qualified managed detection and response provider is a practical model for practices that cannot staff a dedicated security role.
Workforce Training and Access Management (§164.308(a)(3) and §164.308(a)(4))
All workforce members who interact with ePHI — including front desk staff, billing personnel, and clinical assistants — must receive security awareness training. The training must be documented, role-appropriate, and repeated when significant operational changes or new threat categories emerge. Generic annual video modules completed without attendance records rarely satisfy OCR's expectation of meaningful, ongoing security education.
Access authorization procedures must ensure that each user accesses only the ePHI necessary for their job function, consistent with HIPAA's minimum necessary standard. This means role-based access controls are configured in your Electronic Health Record (EHR) system — not just assumed.
Contingency Planning (§164.308(a)(7))
Your practice must have a documented contingency plan covering data backup, disaster recovery, emergency mode operations, and procedures for testing and revising those plans. Ransomware incidents — which routinely render ePHI inaccessible — have elevated this requirement from a formality to an operational necessity. A well-structured healthcare data breach prevention strategy provides a documentation framework that integrates directly with HIPAA contingency requirements and prepares your team to make breach-or-not determinations quickly under pressure.
Administrative Safeguards Checklist (§164.308)
- Written risk analysis completed or updated within past 12 months
- Security Official formally designated and documented in writing
- Risk management plan addresses each identified vulnerability with implemented controls
- Workforce security training completed and documented with dated completion records
- Access authorization procedures limit ePHI access to each role's job-necessary minimum
- Sanctions policy in writing and applied consistently to policy violations
- Audit log review conducted on a defined schedule with documented findings
- Contingency plan tested and results documented annually
- Emergency access procedures documented for system outages and ransomware scenarios
2026 OCR Enforcement Posture
OCR's ongoing audit program continues to target small and medium covered entities for desk audits — initiated without prior notice — that request your risk analysis, workforce training records, and Business Associate Agreements within a short response window. Practices without documentation in order are immediately positioned in higher penalty tiers. Maintain your compliance records as if an audit could arrive any business day.
Section 2: Physical Safeguards (45 C.F.R. §164.310)
Physical safeguards govern how your practice controls physical access to systems and media containing ePHI. OCR investigators consistently find violations in this area because small practices focus on digital security while overlooking the physical controls the regulation explicitly requires.
Facility Access Controls (§164.310(a)(1))
Your practice must implement policies and procedures to limit physical access to electronic information systems — and the facilities where they are housed — to authorized users only. For a typical small practice, this means locked server rooms or equipment closets with access logs maintained for all entries, visitor access policies requiring sign-in and escort procedures in areas where ePHI is accessible, and a documented process for revoking access credentials when a workforce member departs.
Workstation Use and Security (§164.310(b) and §164.310(c))
Every workstation that accesses ePHI must have a documented acceptable use policy defining how it may be used and the physical safeguards surrounding it. Screens displaying ePHI must not be visible to unauthorized individuals. In practice, this means screen privacy filters at check-in workstations in patient-facing areas and automatic lock timers configured to 15 minutes or fewer. These are low-cost controls that eliminate a significant category of incidental disclosure. Our guide to HIPAA compliance for dental offices addresses workstation security controls in shared operatory environments, with guidance that applies equally to any small practice floor plan.
Device and Media Controls (§164.310(d)(1))
Before any hardware is retired, donated, or transferred, you must document a process for sanitizing it — overwriting storage media or physically destroying it. This specification also requires tracking which hardware and media contain ePHI and maintaining a current inventory.
A missing workstation or stolen laptop is a reportable breach if the device held unencrypted ePHI. Encrypting all endpoints removes the breach notification obligation for stolen devices under HIPAA's Breach Notification Safe Harbor provision, making endpoint encryption and asset tracking one of the highest-return controls available to small practices. AES-256 is the accepted standard for ePHI at rest.
Bottom Line on Physical Controls
Deploying AES-256 full-disk encryption on every endpoint is one of the highest-ROI controls for small practices: it removes the breach notification obligation for lost or stolen devices under HIPAA's Safe Harbor provision and directly addresses one of the most common physical loss scenarios. Combine encryption with a maintained hardware inventory to satisfy both the physical and technical safeguard requirements simultaneously.
Section 3: Technical Safeguards (45 C.F.R. §164.312)
The HIPAA Security Rule's technical safeguards define the technology-side controls required to protect ePHI at rest and in transit. Unlike administrative and physical requirements, technical safeguards map directly to specific software configurations, infrastructure decisions, and access control mechanisms your IT environment must enforce.
Access Controls (§164.312(a)(1))
You must implement technical policies and procedures allowing only authorized persons to access ePHI. Four implementation specifications govern this standard:
- Unique user identification (Required): Assign each user a unique name or number for tracking system activity. Shared login credentials violate this requirement directly and are among the easiest gaps for OCR to identify in audit logs.
- Emergency access procedure (Required): Establish a process for obtaining ePHI during an emergency when normal access controls are unavailable — for example, during a ransomware attack or unplanned system outage.
- Automatic logoff (Addressable): Configure electronic procedures that terminate a session after a defined period of inactivity — 10 to 15 minutes on all ePHI-accessing systems.
- Encryption and decryption (Addressable): Implement a mechanism to encrypt and decrypt ePHI. OCR consistently expects encryption to be deployed — or a clearly documented rationale for why it is not — and has cited its absence in enforcement actions against small practices. AES-256 is the recommended standard for ePHI at rest.
Multi-factor authentication (MFA) is not explicitly named in the original text of the Security Rule but is strongly recommended under current OCR guidance as a control that satisfies access control requirements. Any system accessible over the internet — including cloud-based EHR platforms and billing portals — should require MFA.
Audit Controls (§164.312(b))
Audit controls carry no addressable alternative — you must implement hardware, software, and procedural mechanisms to record and examine activity in systems that contain ePHI. Your EHR system must generate access logs, those logs must be retained for a minimum of six years, and someone at your practice must review them on a defined schedule. Anomalous access patterns — a staff member pulling records outside their care team, or access from an unrecognized IP address — should trigger investigation. Modern Endpoint Detection and Response (EDR) solutions can automate much of this monitoring for small practices without dedicated IT resources.
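The scheduled review described above, as an added example that is not part of the original article: it reads a constructed EHR access-log export and flags the two anomaly classes named in the text (access outside a patient's care team, access from an unrecognized address) plus one credential-sharing indicator that also bears on the unique-user-identification requirement. The log line format, the care-team roster, and the approved address ranges are assumptions built for this demonstration; a real EHR exports its own format.

```python
"""Scheduled audit-log review: flag access outside a patient's care team,
access from an unrecognized address, and one credential-sharing indicator
(one user id active from two addresses within minutes).

Added example, not code from the original article. The line format,
care-team roster and approved address ranges are constructed.
"""
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed: users on each patient's care team (assumption: exportable
# from the EHR or scheduling system).
CARE_TEAM = {
    "PT-1001": {"dr.rivera", "ma.chen"},
    "PT-1002": {"dr.rivera", "ma.chen"},
    "PT-1003": {"dr.osei", "ma.patel"},
}

# Constructed: address ranges of the office LAN and the approved VPN pool.
APPROVED_NETWORKS = [ip_network("10.20.0.0/16"), ip_network("192.168.50.0/24")]

# Constructed sample export, one event per line:
# timestamp user patient source-ip action
SAMPLE_LOG = """\
2025-03-03T09:02:11 dr.rivera PT-1001 10.20.4.15 view
2025-03-03T09:04:40 ma.chen PT-1002 10.20.4.22 view
2025-03-03T09:05:02 ma.patel PT-1001 10.20.4.30 view
2025-03-03T09:06:15 dr.osei PT-1003 203.0.113.77 view
2025-03-03T09:07:50 ma.chen PT-1002 10.20.4.22 update
2025-03-03T09:08:05 ma.chen PT-1003 10.20.4.41 view
"""


def parse_line(line):
    """Split one export line into a typed event record."""
    ts, user, patient, ip, action = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user, "patient": patient,
            "ip": ip_address(ip), "action": action}


def review_log(text, care_team=CARE_TEAM, approved=APPROVED_NETWORKS,
               reuse_window=timedelta(minutes=10)):
    """Return a list of (finding_kind, user, detail, timestamp) tuples."""
    events = sorted((parse_line(l) for l in text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    findings = []
    last_seen = {}  # user -> (timestamp, ip) of that user's previous event
    for e in events:
        # Minimum-necessary check: is the user on this patient's care team?
        if e["user"] not in care_team.get(e["patient"], set()):
            findings.append(("outside_care_team", e["user"], e["patient"], e["ts"]))
        # Source check: did the access come from an approved network?
        if not any(e["ip"] in net for net in approved):
            findings.append(("unrecognized_ip", e["user"], str(e["ip"]), e["ts"]))
        # Credential-sharing indicator: same user id, different address,
        # within the reuse window.
        prev = last_seen.get(e["user"])
        if prev and prev[1] != e["ip"] and e["ts"] - prev[0] <= reuse_window:
            findings.append(("possible_shared_credential", e["user"],
                             f"{prev[1]} then {e['ip']}", e["ts"]))
        last_seen[e["user"]] = (e["ts"], e["ip"])
    return findings


def summarize(findings):
    """Counts per finding kind, suitable for the documented review record."""
    counts = {}
    for kind, *_ in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    results = review_log(SAMPLE_LOG)
    for kind, user, detail, ts in results:
        print(f"{ts.isoformat()} {kind:28} {user:10} {detail}")
    print(summarize(results))
```

Each finding is a lead for the reviewer to investigate and record, not a conclusion: a care-team exception may be a legitimate covering clinician, and a second address within the reuse window may be a workstation move, but both are exactly the patterns a monthly review should surface and document.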
Integrity Controls and Transmission Security (§164.312(c) and §164.312(e))
Integrity controls require that ePHI is not improperly altered or destroyed. Transmission security requires that ePHI sent over electronic communications networks is protected against unauthorized access. Any transmission of ePHI over public or untrusted networks — including email and patient portal communications — must use encryption.
Transport Layer Security (TLS) 1.2 or higher is the accepted standard for data in transit, and most modern EHR and email platforms support it by default. Verify that your configurations enforce TLS 1.2 or higher rather than permitting fallback to TLS 1.0/1.1 or to unencrypted connections. NIST SP 800-66 Rev. 2 provides detailed implementation guidance for applying the Security Rule's technical safeguards across common healthcare IT environments.
Technical Safeguards: Implementation Steps
Inventory All Systems Accessing ePHI
List every device, application, and cloud service that creates, receives, maintains, or transmits ePHI. This scope boundary governs every technical control that follows.
Assign Unique User Credentials
Replace any shared logins with individual user accounts in your EHR, email, and network systems. Enable multi-factor authentication (MFA) on all systems accessible over the internet.
Configure Automatic Session Timeouts
Set inactivity lockouts to 10–15 minutes on all workstations and applications accessing ePHI. Document the configuration in your workstation security policy.
Deploy AES-256 Endpoint Encryption
Enable full-disk encryption on all laptops, desktops, and portable media that store ePHI. Record encryption deployment status in your hardware asset inventory.
Verify TLS 1.2+ on All Data Transmissions
Confirm that your EHR, email, patient portal, and telehealth platforms enforce TLS 1.2 or higher. Disable legacy SSL and TLS 1.0/1.1 configurations where present.
Activate and Retain Audit Logs for Six Years
Turn on audit logging in your EHR system and network infrastructure. Confirm log retention meets the six-year minimum and assign a reviewer to examine logs monthly with documented findings.
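The six implementation steps above, worked as one inventory review (an added example, not the article's or any vendor's tooling): a system inventory is checked against each step's threshold and the gaps are reported per system, which is the output a practice would attach to its risk management plan. The inventory fields and the sample systems are constructed assumptions; the thresholds (15-minute timeout, AES-256, TLS 1.2, six-year retention) come from the steps above.

```python
"""Gap review of a system inventory against the six technical safeguard
steps: unique credentials (and MFA on internet-facing systems), automatic
logoff, AES-256 full-disk encryption, TLS 1.2 or higher, and audit logging
retained for six years.

Added example, not the article's or any vendor's tooling. Inventory fields
and sample systems are constructed; thresholds come from the steps above.
"""
from dataclasses import dataclass
from typing import List, Optional, Set

MAX_TIMEOUT_MINUTES = 15
MIN_TLS = (1, 2)
MIN_LOG_RETENTION_YEARS = 6
REQUIRED_DISK_ENCRYPTION = "AES-256"


@dataclass
class System:
    name: str
    handles_ephi: bool               # creates, receives, maintains or transmits ePHI
    internet_facing: bool
    stores_ephi_locally: bool        # local disk holds ePHI (vs. vendor-hosted)
    shared_accounts: List[str]       # logins used by more than one person
    mfa_enabled: bool
    session_timeout_minutes: Optional[int]  # None = no automatic logoff
    disk_encryption: Optional[str]   # e.g. "AES-256", "AES-128", None
    enabled_protocols: Set[str]      # e.g. {"TLS1.2", "TLS1.3"}
    audit_logging: bool
    log_retention_years: float


def protocol_version(label):
    """'TLS1.2' -> (1, 2). Any SSL label maps to (0, 0), i.e. always legacy."""
    if label.upper().startswith("TLS"):
        major, minor = label[3:].split(".")
        return (int(major), int(minor))
    return (0, 0)


def assess(system):
    """Return the gaps for one system, each tagged with the step it fails."""
    gaps = []
    if not system.handles_ephi:
        return gaps  # out of scope: no ePHI, no technical safeguard applies
    if system.shared_accounts:
        gaps.append("unique credentials: shared logins in use "
                    f"({', '.join(system.shared_accounts)})")
    if system.internet_facing and not system.mfa_enabled:
        gaps.append("unique credentials: internet-accessible without MFA")
    timeout = system.session_timeout_minutes
    if timeout is None or timeout > MAX_TIMEOUT_MINUTES:
        gaps.append(f"session timeout: missing or above {MAX_TIMEOUT_MINUTES} minutes")
    if system.stores_ephi_locally and system.disk_encryption != REQUIRED_DISK_ENCRYPTION:
        gaps.append(f"endpoint encryption: {system.disk_encryption or 'none'} "
                    f"instead of {REQUIRED_DISK_ENCRYPTION}")
    legacy = sorted(p for p in system.enabled_protocols if protocol_version(p) < MIN_TLS)
    if legacy:
        gaps.append(f"TLS 1.2+: legacy protocols enabled ({', '.join(legacy)})")
    if not system.audit_logging:
        gaps.append("audit logs: logging disabled")
    elif system.log_retention_years < MIN_LOG_RETENTION_YEARS:
        gaps.append(f"audit logs: retention {system.log_retention_years} years, "
                    f"below {MIN_LOG_RETENTION_YEARS}")
    return gaps


def gap_report(inventory):
    """Map each non-compliant system name to its gap list; compliant systems are omitted."""
    report = {}
    for system in inventory:
        gaps = assess(system)
        if gaps:
            report[system.name] = gaps
    return report


# Constructed inventory. Field order: name, handles_ephi, internet_facing,
# stores_ephi_locally, shared_accounts, mfa_enabled, session_timeout_minutes,
# disk_encryption, enabled_protocols, audit_logging, log_retention_years.
SAMPLE_INVENTORY = [
    System("front-desk-pc", True, False, True, ["frontdesk"], False, 30, None,
           {"TLS1.2", "TLS1.3"}, True, 1.0),
    System("cloud-ehr-portal", True, True, False, [], True, 10, None,
           {"TLS1.0", "TLS1.2"}, True, 7.0),
    System("dr-laptop", True, True, True, [], False, 15, "AES-256",
           {"TLS1.2", "TLS1.3"}, False, 0.0),
    System("waiting-room-display", False, False, False, [], False, None, None,
           set(), False, 0.0),
]

if __name__ == "__main__":
    for name, gaps in gap_report(SAMPLE_INVENTORY).items():
        print(name)
        for gap in gaps:
            print("  -", gap)
```

The vendor-hosted portal is not checked for local disk encryption because it stores nothing on practice hardware, but it is still checked for legacy TLS, which is the one setting a practice can usually change itself in the vendor's administrative console.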
Section 4: Business Associate Agreements (45 C.F.R. §164.308(b))
Any vendor, contractor, or service provider that creates, receives, maintains, or transmits ePHI on your behalf is a Business Associate (BA) under HIPAA. Before sharing any patient data with a BA, you must execute a written Business Associate Agreement (BAA) that contractually obligates them to protect ePHI and comply with applicable HIPAA provisions. This is a required specification with no workaround.
Small practices frequently miss BAAs with vendors they do not immediately associate with healthcare data. The following relationships commonly require a signed BAA:
- Cloud-based EHR and practice management software vendors
- Medical billing and revenue cycle management companies
- IT service providers and managed security partners with access to systems containing ePHI
- Medical transcription and dictation services
- Off-site records storage and document shredding companies
- Answering services that handle patient communications
- Cloud backup providers storing ePHI
- Telehealth platforms that transmit or store patient visit data
A valid BAA must contain specific elements: a description of permitted uses and disclosures of ePHI, obligations to report breaches within 60 days of discovery, requirements to safeguard ePHI in accordance with the Security Rule, and provisions for returning or destroying ePHI upon contract termination.
Executing a BAA does not transfer your compliance obligations. If your vendor suffers a breach attributable in part to your failure to vet their security posture, OCR can investigate both parties. Vet prospective BAs by requesting their most recent SOC 2 Type II report or ISO 27001:2022 certification before signing. Both frameworks provide independent evidence of security controls that align with HIPAA Security Rule requirements.
Section 5: HIPAA Privacy Rule Essentials (45 C.F.R. Part 164, Subpart E)
The HIPAA Privacy Rule governs how Protected Health Information (PHI) — in any format, not just electronic — may be used and disclosed. While the Security Rule focuses on ePHI, the Privacy Rule covers all PHI and carries its own required policies and patient rights obligations that small practices must address separately.
Notice of Privacy Practices
Every covered entity must provide patients with a Notice of Privacy Practices (NPP) describing how PHI is used and disclosed, patient rights regarding their health information, and how to file a complaint with HHS. The NPP must be posted prominently at your practice and made available on your website if you maintain one. Patients must receive the NPP at their first visit and must sign an acknowledgment of receipt — that acknowledgment record must be retained for six years.
Patient Rights and the Minimum Necessary Standard
Patients have the right to access, amend, and request an accounting of disclosures of their PHI. Your practice must have written procedures for responding to these requests within regulatory timeframes — 30 days for access requests, with a single 30-day extension permitted in limited circumstances.
All uses and disclosures of PHI must comply with the minimum necessary standard: disclose only the amount of information required to accomplish the intended purpose. This standard applies to internal access as well — workforce members should not access PHI beyond what their role requires. The role-based access controls in Section 3 enforce this technically; your access authorization procedures in Section 1 establish the policy foundation.
Common Privacy Rule Gaps in Small Practices
OCR enforcement patterns across small practices consistently surface the same Privacy Rule failures:
- Outdated or missing NPP: Practices that have not updated their Notice of Privacy Practices following regulatory changes, or that do not obtain and retain patient acknowledgments.
- Impermissible disclosures to family members: Sharing PHI with family members or caregivers without patient authorization or documented patient consent.
- Social media disclosures: Staff posting about patient cases — even without names — in ways that allow re-identification.
- Failure to honor access requests on time: Delays beyond the 30-day window or incomplete responses to patient requests for their records.
Section 6: Breach Notification and Civil Monetary Penalties (45 C.F.R. Part 164, Subpart D)
The HIPAA Breach Notification Rule requires covered entities to notify affected individuals, HHS, and in some cases prominent media outlets following a breach of unsecured ePHI. The notification timelines are strict and the financial exposure for non-compliance is substantial.
Notification Timeline Requirements
Individual notification must occur within 60 days of discovering a breach. If the breach affects 500 or more individuals in a single state, you must also notify prominent media outlets in that state within the same 60-day window. Breaches affecting 500 or more individuals must be reported to HHS simultaneously with individual notification; breaches affecting fewer than 500 individuals may be compiled into an annual log submitted to HHS within 60 days of the calendar year's end.
Documenting the breach discovery date is operationally essential — the 60-day clock starts when the breach is known or reasonably should have been known, not when your investigation concludes. Delaying a formal discovery determination to extend the investigation window is a compliance risk, not a legal strategy. Healthcare breach costs consistently rank highest among all industries, as documented in the IBM Cost of Data Breach Report 2024, and the notification process itself — legal review, patient communications, credit monitoring — drives a significant share of those costs.
A documented incident response plan provides the framework to make breach-or-not determinations quickly and accurately when time pressure is highest. Your plan should include explicit written criteria for assessing whether impermissible access constitutes a reportable breach, which staff members make that determination, and what notification workflows are triggered at each threshold.
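The notification timelines above, worked as a deadline calculator (an added example, not the article's tooling): given the discovery date and the number of affected residents per state, it returns the individual-notice deadline, the states that require media notice, and whether HHS is notified concurrently or through the annual log. The breach figures in the tests and the state-keyed input format are constructed assumptions.

```python
"""Breach-notification deadline calculator: individual notice within 60 days
of discovery, media notice in any state with 500 or more affected residents,
HHS notice concurrent with individual notice at 500 or more total, otherwise
an annual log due 60 days after the calendar year ends.

Added example, not the article's tooling. The discovery date supplied must be
the day the breach was known or reasonably should have been known.
"""
from datetime import date, timedelta

NOTICE_WINDOW = timedelta(days=60)   # individual, media and HHS windows
MAJOR_BREACH_THRESHOLD = 500         # per state for media; in total for immediate HHS notice


def notification_plan(discovery_date, affected_by_state):
    """Return the notification obligations and deadlines for one breach.

    affected_by_state maps a state code to the number of affected residents
    (constructed input format for this example).
    """
    total = sum(affected_by_state.values())
    individual_deadline = discovery_date + NOTICE_WINDOW
    media_states = sorted(state for state, count in affected_by_state.items()
                          if count >= MAJOR_BREACH_THRESHOLD)
    if total >= MAJOR_BREACH_THRESHOLD:
        hhs_mode = "concurrent with individual notice"
        hhs_deadline = individual_deadline
    else:
        # Smaller breaches go on the annual log, due 60 days after year-end.
        hhs_mode = "annual log"
        hhs_deadline = date(discovery_date.year, 12, 31) + NOTICE_WINDOW
    return {
        "total_affected": total,
        "individual_deadline": individual_deadline,
        "media_notice_states": media_states,
        "hhs_report": hhs_mode,
        "hhs_deadline": hhs_deadline,
    }


def days_remaining(plan, today):
    """Days left on the individual-notice clock (negative once overdue)."""
    return (plan["individual_deadline"] - today).days


if __name__ == "__main__":
    # Constructed scenario: 760 affected, 620 of them in one state.
    plan = notification_plan(date(2025, 3, 3), {"TX": 620, "OK": 140})
    for key, value in plan.items():
        print(f"{key:22} {value}")
    print("days remaining as of 2025-04-02:", days_remaining(plan, date(2025, 4, 2)))
```

Because the deadline is computed from the discovery date rather than from the date the investigation closes, the calculator reflects the point made above: a late discovery determination does not move the deadline, it only shortens the time left to meet it.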
What OCR Requests During an Investigation
When OCR initiates a compliance review — triggered by a breach report, a patient complaint, or a random desk audit — investigators typically request: your written risk analysis and risk management plan; a list of all systems and applications that access or store ePHI; sample audit logs from your EHR and network systems; workforce security training documentation including attendance records; copies of all executed Business Associate Agreements; your written HIPAA policies and procedures; and evidence that your contingency plan has been tested.
Practices that cannot produce these documents on demand are immediately positioned in the higher penalty tiers. Building and maintaining this documentation before an incident is your primary legal defense — and the core purpose of every item in this HIPAA compliance checklist for small practices.
The Five Most Common HIPAA Violations in Small Practices
OCR enforcement patterns reveal a consistent set of failures that appear across solo practices, group clinics, and specialty offices. Understanding where small practices most often fall short helps you prioritize remediation efforts — and makes the difference between a documented, good-faith compliance program and an enforcement target.
- No documented risk analysis — The single most common finding in OCR investigations. Many practices assume a verbal security review satisfies the requirement. It does not. OCR expects a written document that identifies each ePHI system, assesses threats and vulnerabilities, and is reviewed at least annually. See HHS guidance on the HIPAA Security Rule for documentation standards that apply across all safeguard categories.
- Missing Business Associate Agreements — Small practices routinely share ePHI with vendors — billing companies, IT providers, cloud storage services — without a signed BAA. Every BA relationship without a written agreement is a separate, independently penalizable violation.
- Insufficient access controls — Shared login credentials, absent role-based access restrictions, and failure to terminate access when employees depart are the most frequently cited access control failures. Each instance of unauthorized ePHI access attributable to these gaps can be counted as a separate violation under OCR's penalty structure.
- Untested contingency plans — A backup plan that has never been tested provides no assurance that ePHI can actually be recovered after a ransomware attack or hardware failure. OCR expects evidence that the plan works — not just that it exists on paper.
- Inadequate training documentation — Security awareness training that cannot be demonstrated with completion records, dated materials, and role-appropriate content will not satisfy OCR's standard. A staff email reminder or informal walkthrough does not qualify.
Master HIPAA Compliance Checklist for Small Practices
- Written risk analysis completed and dated within past 12 months
- Security Official designated and documented in writing
- All workforce members completed HIPAA training with dated completion records on file
- Unique user accounts assigned to all staff accessing ePHI — no shared credentials
- Automatic session timeouts configured to 15 minutes or fewer on all ePHI-accessing systems
- AES-256 full-disk encryption deployed on all devices accessing or storing ePHI
- Multi-factor authentication enabled on all internet-accessible EHR and email systems
- Physical access controls implemented for server areas and areas containing ePHI
- Screen privacy filters installed at all patient-facing and check-in workstations
- Hardware asset inventory maintained for all devices containing ePHI
- Media sanitization procedures documented for device retirement and disposal
- Audit log review conducted monthly with documented findings
- Business Associate Agreements signed with all vendors accessing ePHI
- Notice of Privacy Practices posted prominently and provided to patients at first visit
- Patient NPP acknowledgment signatures obtained and retained for six years
- Written procedures in place for patient access and amendment requests
- Contingency plan tested and results documented annually
- Breach notification procedures documented with 60-day timeline requirements
- Incident response plan includes written breach determination criteria
What This Means for Your Practice
The most effective way to land in the lowest HIPAA penalty tier — if an incident occurs — is to maintain a documented, good-faith compliance program before any breach event. That means your risk analysis, policies, training records, and Business Associate Agreements are in order before OCR investigates, not assembled in response to a complaint. Documentation built proactively is your primary legal defense; documentation assembled retroactively rarely satisfies OCR investigators.
Schedule Your HIPAA Endpoint Security Review
Our cybersecurity team specializes in HIPAA-compliant endpoint security for medical practices, dental offices, and healthcare clinics. We will evaluate your current security posture against the HIPAA Security Rule and deliver a prioritized remediation roadmap.
Frequently Asked Questions
Yes. The HIPAA Security Rule applies to all covered entities — including solo practitioners, small clinics, dental offices, and mental health practices — regardless of size. OCR does not reduce its compliance expectations based on patient volume or staff count. Small practices are subject to identical required and addressable implementation specifications as large hospital systems under 45 C.F.R. Part 164.
The absence of a written risk analysis is the single most frequently cited finding in OCR enforcement actions and audits. Many small practices assume a verbal security discussion satisfies the requirement — it does not. OCR expects a written document that identifies each ePHI system, assesses threats and vulnerabilities, and has been reviewed or updated within the past 12 months.
A Business Associate Agreement (BAA) is a written contract required by HIPAA before sharing ePHI with any vendor or service provider — your Business Associate — that creates, receives, maintains, or transmits that data on your behalf. Common Business Associates include EHR vendors, medical billing companies, IT service providers, cloud backup services, transcription services, and telehealth platforms. Every BA relationship without a signed BAA is a separately penalizable HIPAA violation.
Encryption is classified as an addressable specification under the HIPAA Security Rule, meaning you must implement it or document a specific, reasonable rationale for why it is not appropriate for your environment. In practice, OCR has cited the absence of encryption in numerous enforcement actions against small practices. AES-256 is the accepted standard for ePHI at rest; TLS 1.2 or higher is required for ePHI in transit. Encrypting all endpoints also activates HIPAA's Breach Notification Safe Harbor, which removes the notification obligation for lost or stolen encrypted devices.
The HIPAA Security Rule requires the risk analysis to be accurate and thorough — which OCR interprets as requiring review whenever significant changes occur in your environment and at least annually in all cases. Significant changes include new EHR systems, new office locations, new staff roles with ePHI access, and new technology deployments. The risk analysis date is one of the first items OCR requests during any compliance investigation.
Following discovery of a breach of unsecured ePHI, covered entities must notify affected individuals within 60 calendar days. If the breach affects 500 or more individuals in a single state, media notification in that state is also required within the same 60-day window. Breaches affecting 500 or more individuals must be reported to HHS simultaneously; breaches affecting fewer than 500 individuals may be logged and reported to HHS annually within 60 days of year-end. The 60-day clock starts when the breach is known or reasonably should have been known — not when the investigation concludes.
Required specifications must be implemented exactly as stated — there is no flexibility. Addressable specifications must either be implemented as specified or accompanied by a written explanation of why the standard implementation is not reasonable and appropriate for your environment, along with an alternative measure that achieves the same protective purpose. Addressable does not mean optional. OCR reviews the documentation justifying any departure from an addressable specification and can cite its absence as a compliance failure.
HIPAA civil monetary penalties follow four tiers based on culpability. Tier 1 (no knowledge) runs $100 to $50,000 per violation with an annual cap of $25,000 per violation category. Tier 2 (reasonable cause, not willful neglect) runs $1,000 to $50,000 with a $100,000 annual cap. Tier 3 (willful neglect, corrected within 30 days) runs $10,000 to $50,000 with a $250,000 annual cap. Tier 4 (willful neglect, not corrected) carries $50,000 per violation with a $1,900,000 annual cap. These caps apply per violation category — a practice with multiple failing categories can face aggregate penalties well above the per-category maximum.
Yes. The contingency plan requirements under §164.308(a)(7) require documented procedures for responding to emergencies that damage systems containing ePHI — including ransomware attacks, hardware failures, and natural disasters. Beyond the Security Rule requirement, a documented incident response plan is your operational foundation for making timely breach-or-not determinations, meeting the 60-day notification deadline, and positioning your practice in the lowest possible penalty tier during any OCR investigation.
Many small practices achieve a compliant security posture by partnering with a managed security provider that specializes in healthcare. This model addresses the gap between HIPAA's requirement to designate a Security Official and the practical reality that most small practices cannot afford a full-time security professional. A qualified managed security partner can conduct your annual risk analysis, maintain audit log monitoring, manage endpoint encryption and patching, and document the controls OCR requires — all without a full-time hire. Confirm that any security partner you engage will sign a Business Associate Agreement before receiving any system access or ePHI.